European Data Protection Board 







Guidelines 2/2019 on the processing of personal data under 
Article 6(1)(b) GDPR in the context of the provision of online 
services to data subjects 


Version 2.0 


8 October 2019 


Adopted 


Version history 

Version 2.0 | 8 October 2019 | Adoption of the Guidelines after public consultation 
Version 1.0 | 9 April 2019 | Adoption of the Guidelines for public consultation 










Part 1 – Introduction 
1.1 Background 
1.2 Scope of these guidelines 

Part 2 – Analysis of Article 6(1)(b) 
2.1 General observations 
2.2 Interaction of Article 6(1)(b) with other lawful bases for processing 
2.3 Scope of Article 6(1)(b) 
2.4 Necessity 
2.5 Necessary for performance of a contract with the data subject 
2.6 Termination of contract 
2.7 Necessary for taking steps prior to entering into a contract 

Part 3 – Applicability of Article 6(1)(b) in specific situations 
3.1 Processing for ‘service improvement’ 
3.2 Processing for fraud prevention 
3.3 Processing for online behavioural advertising 
3.4 Processing for personalisation of content 


The European Data Protection Board 


Having regard to Article 70(1)(e) of Regulation 2016/679/EU of the European Parliament and of the 
Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal 
data and on the free movement of such data, and repealing Directive 95/46/EC, 


HAS ADOPTED THE FOLLOWING GUIDELINES 


1 PART 1—INTRODUCTION 


1.1 Background 


1. Pursuant to Article 8 of the Charter of Fundamental Rights of the European Union, personal data must 
be processed fairly for specified purposes and on the basis of a legitimate basis laid down by law. In 
this regard, Article 6(1) of the General Data Protection Regulation¹ (GDPR) specifies that processing 
shall be lawful only on the basis of one of six specified conditions set out in Article 6(1)(a) to (f). 
Identifying the appropriate legal basis that corresponds to the objective and essence of the processing 
is of essential importance. Controllers must, inter alia, take into account the impact on data subjects’ 
rights when identifying the appropriate lawful basis in order to respect the principle of fairness. 


2. Article 6(1)(b) GDPR provides a lawful basis for the processing of personal data to the extent that 
“processing is necessary for the performance of a contract to which the data subject is party or in order 
to take steps at the request of the data subject prior to entering into a contract”.² This supports the 
freedom to conduct a business, which is guaranteed by Article 16 of the Charter, and reflects the fact 
that sometimes the contractual obligations towards the data subject cannot be performed without the 
data subject providing certain personal data. If the specific processing is part and parcel of delivery of 
the requested service, it is in the interests of both parties to process that data, as otherwise the service 
could not be provided and the contract could not be performed. However, the ability to rely on this or 
one of the other legal bases mentioned in Article 6(1) does not exempt the controller from compliance 
with the other requirements of the GDPR. 


3. Articles 56 and 57 of the Treaty on the Functioning of the European Union define and regulate the 
freedom to provide services within the European Union. Specific EU legislative measures have been 
adopted in respect of ‘information society services’.³ These services are defined as “any service 
normally provided for remuneration, at a distance, by electronic means and at the individual request 
of a recipient of services”. This definition extends to services that are not paid for directly by the 
persons who receive them,⁴ such as online services funded through advertising. ‘Online services’ as 
used in these guidelines refers to ‘information society services’. 


1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons 
with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General 
Data Protection Regulation). 

2 See also recital 44. 

3 See for example Directive (EU) 2015/1535 of the European Parliament and of the Council, and Article 8 GDPR. 

4 See Recital 18 of Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of 
information society services, in particular electronic commerce, in the Internal Market. 




4. The development of EU law reflects the central importance of online services in modern society. The 
proliferation of always-on mobile internet and the widespread availability of connected devices have 
enabled the development of online services in fields such as social media, e-commerce, internet 
search, communication, and travel. While some of these services are funded by user payments, others 
are provided without monetary payment by the consumer, instead financed by the sale of online 
advertising services allowing for targeting of data subjects. Tracking of user behaviour for the purposes 
of such advertising is often carried out in ways the user is not aware of, and it may not be 
immediately obvious from the nature of the service provided, which makes it almost impossible in 
practice for the data subject to exercise an informed choice over the use of their data.⁵ 


5. Against this background, the European Data Protection Board⁶ (EDPB) considers it appropriate to 
provide guidance on the applicability of Article 6(1)(b) to processing of personal data in the context of 
online services, in order to ensure that this lawful basis is only relied upon where appropriate. 


6. The Article 29 Working Party (WP29) has previously expressed views on the contractual necessity basis 
under Directive 95/46/EC in its opinion on the notion of legitimate interests of the data controller.⁷ 
Generally, that guidance remains relevant to Article 6(1)(b) and the GDPR. 


1.2 Scope of these guidelines 


7. These guidelines are concerned with the applicability of Article 6(1)(b) to processing of personal data 
in the context of contracts for online services, irrespective of how the services are financed. The 
guidelines will outline the elements of lawful processing under Article 6(1)(b) GDPR and consider the 
concept of ‘necessity’ as it applies to ‘necessary for the performance of a contract’. 


8. Data protection rules govern important aspects of how online services interact with their users; 
however, other rules apply as well. Regulation of online services involves cross-functional 
responsibilities in the fields of, inter alia, consumer protection law and competition law. 
Considerations regarding these fields of law are beyond the scope of these guidelines. 


9. Although Article 6(1)(b) can only apply in a contractual context, these guidelines do not express a view 
on the validity of contracts for online services generally, as this is outside the competence of the EDPB. 
Nonetheless, contracts and contractual terms must comply with the requirements of contract laws 
and, as the case may be for consumer contracts, consumer protection laws in order for processing 
based on those terms to be considered fair and lawful. 


10. Some general observations on data protection principles are included below, but not all data 
protection issues that may arise when processing under Article 6(1)(b) will be elaborated on. 
Controllers must always ensure that they comply with the data protection principles set out in Article 
5 and all other requirements of the GDPR and, where applicable, the ePrivacy legislation. 


2 PART 2 – ANALYSIS OF ARTICLE 6(1)(B) 


2.1 General observations 


5 In this regard, controllers need to fulfil the transparency obligations set out in the GDPR. 
6 Established under Article 68 GDPR. 


7 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 
95/46/EC (WP217). See in particular pages 11, 16, 17, 18 and 55. 




11. The lawful basis for processing on the basis of Article 6(1)(b) needs to be considered in the context of 
the GDPR as a whole, the objectives set out in Article 1, and alongside controllers’ duty to process 
personal data in compliance with the data protection principles pursuant to Article 5. This includes 
processing personal data in a fair and transparent manner and in line with the purpose limitation and 
data minimisation obligations. 


12. Article 5(1)(a) GDPR provides that personal data must be processed lawfully, fairly and transparently 
in relation to the data subject. The principle of fairness includes, inter alia, recognising the reasonable 
expectations⁸ of the data subjects, considering possible adverse consequences processing may have 
on them, and having regard to the relationship and potential effects of imbalance between them and 
the controller. 


13. As mentioned, as a matter of lawfulness, contracts for online services must be valid under the 
applicable contract law. An example of a relevant factor is whether the data subject is a child. In such 
a case (and aside from complying with the requirements of the GDPR, including the ‘specific 
protections’ which apply to children),⁹ the controller must ensure that it complies with the relevant 
national laws on the capacity of children to enter into contracts. Furthermore, to ensure compliance 
with the fairness and lawfulness principles, the controller needs to satisfy other legal requirements. 
For example, for consumer contracts, Directive 93/13/EEC on unfair terms in consumer contracts (the 
“Unfair Contract Terms Directive”) may be applicable.¹⁰ Article 6(1)(b) is not limited to contracts 
governed by the law of an EEA member state.¹¹ 


14. Article 5(1)(b) of the GDPR provides for the purpose limitation principle, which requires that personal 
data must be collected for specified, explicit, and legitimate purposes and not further processed in a 
manner that is incompatible with those purposes. 


15. Article 5(1)(c) provides for data minimisation as a principle, i.e. processing as little data as possible in 
order to achieve the purpose. This assessment complements the necessity assessments pursuant to 
Article 6(1)(b) to (f). 


16. Both purpose limitation and data minimisation principles are particularly relevant in contracts for 
online services, which typically are not negotiated on an individual basis. Technological advancements 
make it possible for controllers to easily collect and process more personal data than ever before. As 
a result, there is an acute risk that data controllers may seek to include general processing terms in 
contracts in order to maximise the possible collection and uses of data, without adequately specifying 
those purposes or considering data minimisation obligations. WP29 has previously stated: 


The purpose of the collection must be clearly and specifically identified: it must be detailed 
enough to determine what kind of processing is and is not included within the specified purpose, 
and to allow that compliance with the law can be assessed and data protection safeguards 


8 Some personal data are expected to be private or only processed in certain ways, and data processing should not be 
surprising to the data subject. In the GDPR, the concept of ‘reasonable expectations’ is specifically referenced in recitals 47 
and 50 in relation to Article 6(1)(f) and (4). 

9 See Recital 38, which refers to children meriting specific protection with regard to their personal data as they may be less 
aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. 
10 A contractual term that has not been individually negotiated is unfair under the Unfair Contract Terms Directive “if, contrary 
to the requirement of good faith, it causes a significant imbalance in the parties' rights and obligations arising under the 
contract, to the detriment of the consumer”. Like the transparency obligation in the GDPR, the Unfair Contract Terms 
Directive mandates the use of plain, intelligible language. Processing of personal data that is based on what is deemed to be 
an unfair term under the Unfair Contract Terms Directive, will generally not be consistent with the requirement under Article 
5(1)(a) GDPR that processing is lawful and fair. 

11 The GDPR applies to certain controllers outside the EEA; see Article 3 GDPR. 




applied. For these reasons, a purpose that is vague or general, such as for instance ‘improving 
users' experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will - without 
more detail - usually not meet the criteria of being ‘specific’.¹² 


2.2 Interaction of Article 6(1)(b) with other lawful bases for processing 


17. Where processing is not considered ‘necessary for the performance of a contract’, i.e. when a 
requested service can be provided without the specific processing taking place, the EDPB recognises 
that another lawful basis may be applicable, provided the relevant conditions are met. In particular, in 
some circumstances it may be more appropriate to rely on freely given consent under Article 6(1)(a). 
In other instances, Article 6(1)(f) may provide a more appropriate lawful basis for processing. The legal 
basis must be identified at the outset of processing, and information given to data subjects in line with 
Articles 13 and 14 must specify the legal basis. 


18. It is possible that another lawful basis than Article 6(1)(b) may better match the objective and context 
of the processing operation in question. The identification of the appropriate lawful basis is tied to 
principles of fairness and purpose limitation.¹³ 


19. The WP29 guidelines on consent also clarify that where “a controller seeks to process personal data 
that are in fact necessary for the performance of a contract, then consent is not the appropriate lawful 
basis”. Conversely, the EDPB considers that where processing is not in fact necessary for the 
performance of a contract, such processing can take place only if it relies on another appropriate legal 
basis.¹⁴ 


20. In line with their transparency obligations, controllers should make sure to avoid any confusion as to 
what the applicable legal basis is. This is particularly relevant where the appropriate legal basis is 
Article 6(1)(b) and a contract regarding online services is entered into by data subjects. Depending on 
the circumstances, data subjects may erroneously get the impression that they are giving their consent 
in line with Article 6(1)(a) when signing a contract or accepting terms of service. At the same time, a 
controller might erroneously assume that the signature of a contract corresponds to a consent in the 
sense of Article 6(1)(a). These are entirely different concepts. It is important to distinguish between 
accepting terms of service to conclude a contract and giving consent within the meaning of Article 
6(1)(a), as these concepts have different requirements and legal consequences. 


21. In relation to the processing of special categories of personal data, in the guidelines on consent, WP29 
has also observed that: 


Article 9(2) does not recognize ‘necessary for the performance of a contract’ as an exception to 
the general prohibition to process special categories of data. Therefore controllers and Member 
States that deal with this situation should explore the specific exceptions in Article 9(2) 
subparagraphs (b) to (j). Should none of the exceptions (b) to (j) apply, obtaining explicit 





12 Article 29 Working Party Opinion 03/2013 on purpose limitation (WP203), page 15-16. 

13 When controllers set out to identify the appropriate legal basis in line with the fairness principle, this will be difficult to 
achieve if they have not first clearly identified the purposes of processing, or if processing personal data goes beyond what is 
necessary for the specified purposes. 

14 For more information on implications in relation to Article 9, see Article 29 Working Party Guidelines on consent under 
Regulation 2016/679 (WP259), endorsed by the EDPB, pages 19-20. 




consent in accordance with the conditions for valid consent in the GDPR remains the only 
possible lawful exception to process such data.¹⁵ 


2.3 Scope of Article 6(1)(b) 


22. Article 6(1)(b) applies where either of two conditions is met: the processing in question must be 
objectively necessary for the performance of a contract with a data subject, or the processing must be 
objectively necessary in order to take pre-contractual steps at the request of a data subject. 


2.4 Necessity 


23. Necessity of processing is a prerequisite for both parts of Article 6(1)(b). At the outset, it is important 
to note that the concept of what is ‘necessary for the performance of a contract’ is not simply an 
assessment of what is permitted by or written into the terms of a contract. The concept of necessity 
has an independent meaning in European Union law, which must reflect the objectives of data 
protection law.¹⁶ Therefore, it also involves consideration of the fundamental right to privacy and 
protection of personal data,¹⁷ as well as the requirements of data protection principles including, 
notably, the fairness principle. 


24. The starting point is to identify the purpose for the processing, and in the context of a contractual 
relationship, there may be a variety of purposes for processing. Those purposes must be clearly 
specified and communicated to the data subject, in line with the controller’s purpose limitation and 
transparency obligations. 


25. Assessing what is ‘necessary’ involves a combined, fact-based assessment of the processing “for the 
objective pursued and of whether it is less intrusive compared to other options for achieving the same 
goal”.¹⁸ If there are realistic, less intrusive alternatives, the processing is not ‘necessary’.¹⁹ Article 
6(1)(b) will not cover processing which is useful but not objectively necessary for performing the 
contractual service or for taking relevant pre-contractual steps at the request of the data subject, even 
if it is necessary for the controller’s other business purposes. 


15 Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page 19. 

16 The CJEU stated in Huber that “what is at issue is a concept [necessity] which has its own independent meaning in 
Community law and which must be interpreted in a manner which fully reflects the objective of that Directive, [Directive 
95/46], as laid down in Article 1(1) thereof”. CJEU, Case C-524/06, Heinz Huber v Bundesrepublik Deutschland, 18 December 
2008, para. 52. 

17 See Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. 

18 See EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental right to the protection of personal data, 
page 5. 

19 In Schecke, the CJEU held that, when examining the necessity of processing personal data, the legislature needed to take 
into account alternative, less intrusive measures. CJEU, Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR 
and Hartmut Eifert v Land Hessen, 9 November 2010. This was repeated by the CJEU in the Rigas case where it held that “As 
regards the condition relating to the necessity of processing personal data, it should be borne in mind that derogations and 
limitations in relation to the protection of personal data must apply only in so far as is strictly necessary”. CJEU, Case C-13/16, 
Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, para. 30. A strict 
necessity test is required for any limitations on the exercise of the rights to privacy and to personal data protection with 
regard to the processing of personal data, see EDPS Toolkit: Assessing the Necessity of Measures that limit the fundamental 
right to the protection of personal data, page 7. 




2.5 Necessary for performance of a contract with the data subject 


26. A controller can rely on the first option of Article 6(1)(b) to process personal data when it can, in line 
with its accountability obligations under Article 5(2), establish both that the processing takes place in 
the context of a valid contract with the data subject and that processing is necessary in order that the 
particular contract with the data subject can be performed. Where controllers cannot demonstrate 
that (a) a contract exists, (b) the contract is valid pursuant to applicable national contract laws, and (c) 
that the processing is objectively necessary for the performance of the contract, the controller should 
consider another legal basis for processing. 


27. Merely referencing or mentioning data processing in a contract is not enough to bring the processing 
in question within the scope of Article 6(1)(b). On the other hand, processing may be objectively 
necessary even if not specifically mentioned in the contract. In any case, the controller must meet its 
transparency obligations. Where a controller seeks to establish that the processing is based on the 
performance of a contract with the data subject, it is important to assess what is objectively necessary 
to perform the contract. ‘Necessary for performance’ clearly requires something more than a 
contractual clause. This is also clear in light of Article 7(4). Albeit this provision only regards validity of 
consent, it illustratively makes a distinction between processing activities necessary for the 
performance of a contract, and clauses making the service conditional on certain processing activities 
that are not in fact necessary for the performance of the contract. 


28. In this regard, the EDPB endorses the guidance previously adopted by WP29 on the equivalent 
provision under the previous Directive that ‘necessary for the performance of a contract with the data 
subject’: 


... must be interpreted strictly and does not cover situations where the processing is not 
genuinely necessary for the performance of a contract, but rather unilaterally imposed on the 
data subject by the controller. Also the fact that some processing is covered by a contract does 
not automatically mean that the processing is necessary for its performance. [...] Even if these 
processing activities are specifically mentioned in the small print of the contract, this fact alone 
does not make them ‘necessary’ for the performance of the contract.²⁰ 


29. The EDPB also recalls the same WP29 guidance stating: 


There is a clear connection here between the assessment of necessity and compliance with the 
purpose limitation principle. It is important to determine the exact rationale of the contract, 
i.e. its substance and fundamental objective, as it is against this that it will be tested whether 
the data processing is necessary for its performance.²¹ 


30. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of an 
online contractual service, regard should be given to the particular aim, purpose, or objective of the 
service. For applicability of Article 6(1)(b), it is required that the processing is objectively necessary for 
a purpose that is integral to the delivery of that contractual service to the data subject. Not excluded 
is processing of payment details for the purpose of charging for the service. The controller should be 
able to demonstrate how the main subject-matter of the specific contract with the data subject cannot, 
as a matter of fact, be performed if the specific processing of the personal data in question does not 


20 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 
95/46/EC (WP217), page 16-17. 

21 Ibid., page 17. 




occur. The important issue here is the nexus between the personal data and processing operations 
concerned, and the performance or non-performance of the service provided under the contract. 


31. Contracts for digital services may incorporate express terms that impose additional conditions about 
advertising, payments or cookies, amongst other things. A contract cannot artificially expand the 
categories of personal data or types of processing operation that the controller needs to carry out for 
the performance of the contract within the meaning of Article 6(1)(b). 


32. The controller should be able to justify the necessity of its processing by reference to the fundamental 
and mutually understood contractual purpose. This depends not just on the controller’s perspective, 
but also a reasonable data subject’s perspective when entering into the contract, and whether the 
contract can still be considered to be ‘performed’ without the processing in question. Although the 
controller may consider that the processing is necessary for the contractual purpose, it is important 
that they examine carefully the perspective of an average data subject in order to ensure that there is 
a genuine mutual understanding on the contractual purpose. 


33. In order to carry out the assessment of whether Article 6(1)(b) is applicable, the following questions 
can be of guidance: 


• What is the nature of the service being provided to the data subject? What are its 
distinguishing characteristics? 

• What is the exact rationale of the contract (i.e. its substance and fundamental object)? 

• What are the essential elements of the contract? 

• What are the mutual perspectives and expectations of the parties to the contract? How is 
the service promoted or advertised to the data subject? Would an ordinary user of the 
service reasonably expect that, considering the nature of the service, the envisaged 
processing will take place in order to perform the contract to which they are a party? 


34. If the assessment of what is ‘necessary for the performance of a contract’, which must be conducted 
prior to the commencement of processing, shows that the intended processing goes beyond what is 
objectively necessary for the performance of a contract, this does not render such future processing 
unlawful per se. As already mentioned, Article 6 makes clear that other lawful bases are potentially 
available prior to the initiation of the processing.²² 


35. If, over the lifespan of a service, new technology is introduced that changes how personal data are 
processed, or the service otherwise evolves, the criteria above need to be assessed anew to determine 
if any new or altered processing operations can be based on Article 6(1)(b). 








Example 1 


A data subject buys items from an online retailer. The data subject wants to pay by credit card and for 
the products to be delivered to their home address. In order to fulfil the contract, the retailer must 
process the data subject’s credit card information and billing address for payment purposes and the 
data subject’s home address for delivery. Thus, Article 6(1)(b) is applicable as a legal basis for these 
processing activities. 








22 See Article 29 Working Party Guidelines on consent under Regulation 2016/679 (WP259), endorsed by the EDPB, page 31, 
in which it is stated that: “Under the GDPR, it is not possible to swap between one lawful basis and another.” 












However, if the customer has opted for shipment to a pick-up point, the processing of the data 
subject’s home address is no longer necessary for the performance of the purchase contract. Any 
processing of the data subject’s address in this context will require a different legal basis than Article 
6(1)(b). 








Example 2 


The same online retailer wishes to build profiles of the user’s tastes and lifestyle choices based on their 
visits to the website. Completion of the purchase contract is not dependent upon building such 
profiles. Even if profiling is specifically mentioned in the contract, this fact alone does not make it 
‘necessary’ for the performance of the contract. If the on-line retailer wants to carry out such profiling, 
it needs to rely on a different legal basis. 











36. Within the boundaries of contractual law, and if applicable, consumer law, controllers are free to 
design their business, services and contracts. In some cases, a controller may wish to bundle several 
separate services or elements of a service with different fundamental purposes, features or rationale 
into one contract. This may create a ‘take it or leave it’ situation for data subjects who may only be 
interested in one of the services. 


37. As a matter of data protection law, controllers need to take into account that the processing activities 
foreseen must have an appropriate legal basis. Where the contract consists of several separate services 
or elements of a service that can in fact reasonably be performed independently of one another, the 
question arises to which extent Article 6(1)(b) can serve as a legal basis. The applicability of Article 
6(1)(b) should be assessed in the context of each of those services separately, looking at what is 
objectively necessary to perform each of the individual services which the data subject has actively 
requested or signed up for. This assessment may reveal that certain processing activities are not 
necessary for the individual services requested by the data subject, but rather necessary for the 
controller’s wider business model. In that case, Article 6(1)(b) will not be a legal basis for those 
activities. However, other legal bases may be available for that processing, such as Article 6(1)(a) or (f), 
provided that the relevant criteria are met. Therefore, the assessment of the applicability of Article 
6(1)(b) does not affect the legality of the contract or the bundling of services as such. 


38. As WP29 has previously observed, the legal basis only applies to what is necessary for the performance 
of a contract.²³ As such, it does not automatically apply to all further actions triggered by non- 
compliance or to all other incidents in the execution of a contract. However, certain actions can be 
reasonably foreseen and necessary within a normal contractual relationship, such as sending formal 
reminders about outstanding payments or correcting errors or delays in the performance of the 
contract. Article 6(1)(b) may cover processing of personal data which is necessary in relation to such 
actions. 





23 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of 
Directive 95/46/EC (WP217) page 17-18. 









Example 3 





A company sells products online. A customer contacts the company because the colour of the product 
purchased is different from what was agreed upon. The processing of personal data of the customer 
for the purpose of rectifying this issue can be based on Article 6(1)(b). 











Contractual warranty may be part of performing a contract, and thus storing certain data for a specified 
retention time after exchange of goods/services/payment has been finalised for the purpose of 
warranties may be necessary for the performance of a contract. 


2.6 Termination of contract 


A controller needs to identify the appropriate legal basis for the envisaged processing operations 
before the processing commences. Where Article 6(1)(b) is the basis for some or all processing 
activities, the controller should anticipate what happens if that contract is terminated.²⁴ 


Where the processing of personal data is based on Article 6(1)(b) and the contract is terminated in full, 
then as a general rule, the processing of that data will no longer be necessary for the performance of 
that contract and thus the controller will need to stop processing. The data subject might have 
provided their personal data in the context of a contractual relationship trusting that the data would 
only be processed as a necessary part of that relationship. Hence, it is generally unfair to swap to a 
new legal basis when the original basis ceases to exist. 


When a contract is terminated, this may entail some administration, such as returning goods or 
payment. The associated processing may be based on Article 6(1)(b). 


Article 17(1)(a) provides that personal data shall be erased when they are no longer necessary in 
relation to the purposes for which they were collected. Nonetheless, this does not apply if processing 
is necessary for certain specific purposes, including compliance with a legal obligation pursuant to 
Article 17(3)(b), or the establishment, exercise or defence of legal claims, pursuant to Article 17(3)(e). 
In practice, if controllers see a general need to keep records for legal purposes, they need to identify 
a legal basis for this at the outset of processing, and they need to communicate clearly from the start 
for how long they plan to retain records for these legal purposes after the termination of a contract. If 
they do so, they do not need to delete the data upon the termination of the contract. 


In any case, it may be that several processing operations with separate purposes and legal bases were 
identified at the outset of processing. As long as those other processing operations remain lawful and 
the controller communicated clearly about those operations at the commencement of processing in 
line with the transparency obligations of the GDPR, it will still be possible to process personal data 
about the data subject for those separate purposes after the contract has been terminated. 





24 If a contract is subsequently invalidated, it will impact the lawfulness (as understood in Article 5(1)(a)) of continued 
processing. However, it does not automatically imply that the choice of Article 6(1)(b) as the legal basis was incorrect. 










Example 4 


An online service provides a subscription service that can be cancelled at any time. When a contract 
for the service is concluded, the controller provides information to the data subject on the processing 
of personal data. 


The controller explains, inter alia, that as long as the contract is in place, it will process data about the 
use of the service to issue invoices. The applicable legal basis is Article 6(1)(b) as the processing for 
invoicing purposes can be considered to be objectively necessary for the performance of the contract. 
However, when the contract is terminated and assuming there are no pending, relevant legal claims 
or legal requirements to retain the data, the usage history will be deleted. 


Furthermore, the controller informs data subjects that it has a legal obligation in national law to retain 
certain personal data for accounting purposes for a specified number of years. The appropriate legal 
basis is Article 6(1)(c), and retention will take place even if the contract is terminated. 





2.7 Necessary for taking steps prior to entering into a contract 


The second option of Article 6(1)(b) applies where processing is necessary in order to take steps at the 
request of the data subject prior to entering into a contract. This provision reflects the fact that 
preliminary processing of personal data may be necessary before entering into a contract in order to 
facilitate the actual entering into that contract. 


At the time of processing, it may not be clear whether a contract will actually be entered into. The 
second option of Article 6(1)(b) may nonetheless apply as long as the data subject makes the request 
in the context of potentially entering into a contract and the processing in question is necessary to take 
the steps requested. In line with this, where a data subject contacts the controller to enquire about 
the details of the controller’s service offerings, the processing of the data subject’s personal data for 
the purpose of responding to the enquiry can be based on Article 6(1)(b). 


In any case, this provision would not cover unsolicited marketing or other processing which is carried 
out solely on the initiative of the data controller, or at the request of a third party. 








Example 5 


A data subject provides their postal code to see if a particular service provider operates in their area. 
This can be regarded as processing necessary to take steps at the request of the data subject prior to 
entering into a contract pursuant to Article 6(1)(b). 











Example 6 


In some cases, financial institutions have a duty to identify their customers pursuant to national laws. 
In line with this, before entering into a contract with data subjects, a bank requests to see their identity 
documents. 


In this case, the identification is necessary for a legal obligation on behalf of the bank rather than to 
take steps at the data subject’s request. Therefore, the appropriate legal basis is not Article 6(1)(b), 
but Article 6(1)(c). 







3 PART 3 — APPLICABILITY OF ARTICLE 6(1)(B) IN SPECIFIC SITUATIONS 


3.1 Processing for ‘service improvement’²⁵ 


Online services often collect detailed information on how users engage with their service. In most 
cases, collection of organisational metrics relating to a service or details of user engagement, cannot 
be regarded as necessary for the provision of the service as the service could be delivered in the 
absence of processing such personal data. Nevertheless, a service provider may be able to rely on 
alternative lawful bases for this processing, such as legitimate interest or consent. 


The EDPB does not consider that Article 6(1)(b) would generally be an appropriate lawful basis for 
processing for the purposes of improving a service or developing new functions within an existing 
service. In most cases, a user enters into a contract to avail of an existing service. While the possibility 
of improvements and modifications to a service may routinely be included in contractual terms, such 
processing usually cannot be regarded as being objectively necessary for the performance of the 
contract with the user. 


3.2 Processing for ‘fraud prevention’ 


As WP29 has previously noted,²⁶ processing for fraud prevention purposes may involve monitoring and 
profiling customers. In the view of the EDPB, such processing is likely to go beyond what is objectively 
necessary for the performance of a contract with a data subject. However, the processing of personal 
data strictly necessary for the purposes of preventing fraud may constitute a legitimate interest of the 
data controller²⁷ and could thus be considered lawful, if the specific requirements of Article 
6(1)(f) (legitimate interests) are met by the data controller. In addition, Article 6(1)(c) (legal obligation) 
could also provide a lawful basis for such processing of data. 


3.3 Processing for online behavioural advertising 


Online behavioural advertising, and associated tracking and profiling of data subjects, is often used to 
finance online services. WP29 has previously stated its view on such processing, stating: 


[contractual necessity] is not a suitable legal ground for building a profile of the user’s tastes 
and lifestyle choices based on his clickstream on a website and the items purchased. This is 
because the data controller has not been contracted to carry out profiling, but rather to deliver 
particular goods and services, for example.²⁸ 


As a general rule, processing of personal data for behavioural advertising is not necessary for the 
performance of a contract for online services. Normally, it would be hard to argue that the contract 
had not been performed because there were no behavioural ads. This is all the more supported by the 
fact that data subjects have the absolute right under Article 21 to object to processing of their data for 
direct marketing purposes. 


25 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council 
of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 
22.05.2019, p. 1), which will apply as from 1 January 2022. 

26 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of 
Directive 95/46/EC (WP217), page 17. 

27 See Recital 47, sixth sentence. 

28 Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of 
Directive 95/46/EC (WP217), page 17. 


Further to this, Article 6(1)(b) cannot provide a lawful basis for online behavioural advertising simply 
because such advertising indirectly funds the provision of the service. Although such processing may 
support the delivery of a service, this in itself is not sufficient to establish that it is necessary for the 
performance of the contract at issue. The controller would need to consider the factors outlined in 
paragraph 33. 


Considering that data protection is a fundamental right guaranteed by Article 8 of the Charter of 
Fundamental Rights, and taking into account that one of the main purposes of the GDPR is to provide 
data subjects with control over information relating to them, personal data cannot be considered as a 
tradeable commodity. Even if the data subject can agree to the processing of personal data,²⁹ they 
cannot trade away their fundamental rights through this agreement.³⁰ 


The EDPB also notes that, in line with ePrivacy requirements and the existing WP29 opinion on 
behavioural advertising,³¹ and Working Document 02/2013 providing guidance on obtaining consent 
for cookies,³² controllers must obtain data subjects’ prior consent to place the cookies necessary to 
engage in behavioural advertising. 


The EDPB also notes that tracking and profiling of users may be carried out for the purpose of 
identifying groups of individuals with similar characteristics, to enable targeting advertising to similar 
audiences. Such processing cannot be carried out on the basis of Article 6(1)(b), as it cannot be said to 
be objectively necessary for the performance of the contract with the user to track and compare users’ 
characteristics and behaviour for purposes which relate to advertising to other individuals.³³ 


3.4 Processing for personalisation of content³⁴ 


The EDPB acknowledges that personalisation of content may (but does not always) constitute an 
intrinsic and expected element of certain online services, and therefore may be regarded as necessary 
for the performance of the contract with the service user in some cases. Whether such processing can 
be regarded as an intrinsic aspect of an online service, will depend on the nature of the service 
provided, the expectations of the average data subject in light not only of the terms of service but also 
the way the service is promoted to users, and whether the service can be provided without 
personalisation. Where personalisation of content is not objectively necessary for the purpose of the 
underlying contract, for example where personalised content delivery is intended to increase user 
engagement with a service but is not an integral part of using the service, data controllers should 
consider an alternative lawful basis where applicable. 


29 See Directive (EU) 2019/770 of the European Parliament and of the Council of 20 May 2019 on certain aspects concerning 
contracts for the supply of digital content and digital services. 

30 Besides the fact that the use of personal data is regulated by the GDPR, there are additional reasons why processing of 
personal data is conceptually different from monetary payments. For example, money is countable, meaning that prices can 
be compared in a competitive market, and monetary payments can normally only be made with the data subject’s 
involvement. Furthermore, personal data can be exploited by several services at the same time. Once control over one’s 
personal data has been lost, that control may not necessarily be regained. 

31 Article 29 Working Party Opinion 2/2010 on online behavioural advertising (WP171). 

32 Article 29 Working Party Working Document 02/2013 providing guidance on obtaining consent for cookies (WP208). 

33 See also Article 29 Working Party Guidelines on Automated individual decision-making and Profiling for the purposes of 
Regulation 2016/679 (WP251rev.01), endorsed by the EDPB, page 13. 

34 Online services may also need to take into account Directive (EU) 2019/770 of the European Parliament and of the Council 
of 20 May 2019 on certain aspects concerning contracts for the supply of digital content and digital services (OJ L 136, 
22.05.2019, p. 1), which will apply as from 1 January 2022. 








Example 7 


An online hotel search engine monitors past bookings of users in order to create a profile of their 
typical expenditure. This profile is subsequently used to recommend particular hotels to the user when 
returning search results. In this case, profiling of user’s past behaviour and financial data would not be 
objectively necessary for the performance of a contract, i.e. the provision of hospitality services based 
on particular search criteria provided by the user. Therefore, Article 6(1)(b) would not be applicable to 
this processing activity. 











Example 8 


An online marketplace allows potential buyers to browse for and purchase products. The marketplace 
wishes to display personalised product suggestions based on which listings the potential buyers have 
previously viewed on the platform in order to increase interactivity. This personalisation is not 
objectively necessary to provide the marketplace service. Thus, such processing of personal data 
cannot rely on Article 6(1)(b) as a legal basis. 













